718itbiz/ldap-client
1
0
Fork 0
Code Issues 1 Pull Requests Releases Wiki Activity
ldap-client/index.sh
William Mantly 7dee7453fe
vars are good
2021-04-21 13:45:37 -04:00

130 lines
5.7 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Stop this script on any error.
set -e
# Pull in the mustache template library for bash
source lib/mo
if [ ! -f ./ldap.vars ]; then
echo "ldap.vars file not found!"
echo "Please copy ldap.vars.template to ldap.vars and edit it."
exit 1
fi
source ldap.vars
export current_host=`hostname`
# Configure the options for the LDAP packages based on debian or ubuntu
if grep -qiE "^NAME=\"debian" /etc/os-release; then
echo "libnss-ldap libnss-ldap/rootbindpw string $ldap_admin_password" | debconf-set-selections
echo "libnss-ldap libnss-ldap/bindpw string $ldap_bind_password" | debconf-set-selections
echo "libnss-ldap libnss-ldap/dbrootlogin boolean true" | debconf-set-selections
echo "libnss-ldap libnss-ldap/binddn string $ldap_bind_dn" | debconf-set-selections
echo "libnss-ldap libnss-ldap/confperm boolean false" | debconf-set-selections
echo "libnss-ldap libnss-ldap/rootbinddn string $ldap_admin_dn" | debconf-set-selections
echo "libnss-ldap libnss-ldap/dblogin boolean false" | debconf-set-selections
echo "libnss-ldap libnss-ldap/override boolean true" | debconf-set-selections
echo "shared shared/ldapns/ldap-server string ldap://$ldap_host" | debconf-set-selections
echo "shared shared/ldapns/base-dn string $ldap_base_dn" | debconf-set-selections
echo "shared shared/ldapns/ldap_version string 3" | debconf-set-selections
echo "libpam-ldap libpam-ldap/bindpw string $ldap_bind_password" | debconf-set-selections
echo "libpam-ldap libpam-ldap/rootbindpw string $ldap_admin_password" | debconf-set-selections
echo "libpam-ldap libpam-ldap/dblogin boolean true" | debconf-set-selections
echo "libpam-ldap libpam-ldap/pam_password string crypt" | debconf-set-selections
echo "libpam-ldap libpam-ldap/rootbinddn string $ldap_admin_dn" | debconf-set-selections
echo "libpam-ldap libpam-ldap/override boolean true" | debconf-set-selections
echo "libpam-ldap libpam-ldap/binddn string $ldap_bind_dn" | debconf-set-selections
echo "libpam-ldap libpam-ldap/dbrootlogin boolean true" | debconf-set-selections
else
echo "ldap-auth-config ldap-auth-config/ldapns/ldap-server string ldap://$ldap_host" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/bindpw string $ldap_bind_password" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/rootbindpw string $ldap_admin_password" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/dbrootlogin boolean true" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/dblogin boolean true" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/ldapns/ldap_version string 3" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/pam_password string md5" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/ldapns/base-dn string $ldap_base_dn" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/move-to-debconf boolean true" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/rootbinddn string $ldap_admin_dn" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/binddn string $ldap_bind_dn" | debconf-set-selections
echo "ldap-auth-config ldap-auth-config/override boolean true" | debconf-set-selections
fi
# Install the requires packages for LDAP PAM telling apt to ignore any interactive options
DEBIAN_FRONTEND=noninteractive apt install -y libnss-ldap libpam-ldap ldap-utils nscd
# Configure the system to use LDAP for PAM. Some versions include `auth-client-config` and others dont.
# `auth-client-config` requires python2.x, so support for it is dropping.
if which auth-client-config >/dev/null; then
auth-client-config -t nss -p lac_ldap
else
sed -i '/passwd/ s/$/ ldap/' /etc/nsswitch.conf
sed -i '/group/ s/$/ ldap/' /etc/nsswitch.conf
sed -e s/use_authtok//g -i /etc/pam.d/common-password
fi
pam-auth-update --enable ldap
# Enable the system to create home directories for LDAP users who do not have one on first login
pam-auth-update --enable mkhomedir
echo "session required pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
# Restart the Name Service cache daemon, unsure if this is required.
systemctl restart nscd
systemctl enable nscd
# Apply LDAP group filter for PAM LDAP login
# Different distros/versions read the filter from different places.
PAM_LDAP_filter="
pam_password_prohibit_message Please visit $sso_url to change your password.
nss_base_group ou=Groups,$ldap_base_dn?one
nss_schema rfc2307
pam_filter &(|(memberof=cn=host_access,ou=Groups,$ldap_bind_dn)(memberof=cn=host_`hostname`_access,ou=Groups,$ldap_bind_dn))
"
if grep -qiE "^NAME=\"debian" /etc/os-release; then
echo "$PAM_LDAP_filter" >> /etc/pam_ldap.conf
fi
echo "$PAM_LDAP_filter" >> /etc/ldap/ldap.conf
echo "$PAM_LDAP_filter" >> /etc/ldap.conf
## Set up sudo-ldap
export SUDO_FORCE_REMOVE=yes
apt install -y sudo-ldap
sudo_ldap_template="$(cat files/sudo-ldap.conf)"
echo "$sudo_ldap_template" | mo > /etc/sudo-ldap.conf
## Set up SSHkey via LDAP
sudo_ldap_template="$(cat files/ldap-ssh-key.sh)"
echo "$sudo_ldap_template" | mo > /usr/local/bin/ldap-ssh-key
chmod +x /usr/local/bin/ldap-ssh-key
echo "AuthorizedKeysCommand /usr/local/bin/ldap-ssh-key" >> /etc/ssh/sshd_config
echo "AuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config
service ssh restart
if [ -z "$sso_token" ]; then
curl '$sso_url/api/group/' \
-H 'auth-token: $sso_token' \
-H 'content-type: application/json; charset=UTF-8' \
--data-binary "{\"name\":\"host_$hostname_access\",\"description\":\"Access for $hostname\"}"
curl '$sso_url/api/group/' \
-H 'auth-token: $sso_token' \
-H 'content-type: application/json; charset=UTF-8' \
--data-binary "{\"name\":\"host_$hostname_admin\",\"description\":\"sudo for $hostname\"}"
fi
Reference in New Issue View Git Blame Copy Permalink